CVE-2010-3737
Description
Memory leak in the Relational Data Services component in IBM DB2 UDB 9.5 before FP6a allows remote authenticated users to cause a denial of service (heap memory consumption) by executing a (1) user-defined function (UDF) or (2) stored procedure while using a different code page than the database server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in IBM DB2 9.5 allows authenticated users to cause denial of service via UDFs or stored procedures when client and server code pages differ.
Vulnerability
A memory leak exists in the Relational Data Services component of IBM DB2 UDB 9.5 prior to Fix Pack 6a (FP6a). The leak is triggered when a remote authenticated user executes a user-defined function (UDF) or stored procedure while the client application and database server use different code pages, and the connection concentrator is enabled. The connection concentrator is activated when max_connections exceeds max_coordagents [1].
Exploitation
An attacker must have valid authentication credentials to the database. The attacker then repeatedly executes a UDF or stored procedure from a client with a code page different from the server's. The connection concentrator must be enabled. Each execution leaks heap memory, which accumulates over time. The db2pd -db -memblocks appctl top command can be used to observe the growing application heap [1].
Impact
Successful exploitation leads to progressive heap memory consumption, eventually exhausting the application heap. The database server may return error SQL0954C: Not enough storage is available in the application heap to process the statement (SQLSTATE=57011), causing a denial of service for the affected database instance [1].
Mitigation
IBM released Fix Pack 6a (FP6a) and subsequent fix packs (FP7, FP8, FP9, FP10) for DB2 9.5 that resolve this issue [1]. As a workaround, administrators can disable the connection concentrator by setting max_connections equal to or less than max_coordagents [1]. No other mitigations are documented.
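The workaround above depends on how max_connections compares with max_coordagents. The following check is an added example, not IBM's code or part of the original record. It reads `db2 get dbm cfg` output and reports whether the connection concentrator is on. The sample lines are constructed, and the output layout and the treatment of AUTOMATIC(...) and -1 values are assumptions about DB2 9.5.

```shell
#!/bin/sh
# Added example: report whether the DB2 connection concentrator is enabled,
# i.e. whether max_connections exceeds max_coordagents.
# Intended use (assumed): db2 get dbm cfg | concentrator_state

# Constructed sample output lines, not captured from a real instance.
SAMPLE_ON=' Max number of coordinating agents     (MAX_COORDAGENTS) = 200
 Max number of client connections      (MAX_CONNECTIONS) = 1000'
SAMPLE_OFF=' Max number of coordinating agents     (MAX_COORDAGENTS) = AUTOMATIC(200)
 Max number of client connections      (MAX_CONNECTIONS) = AUTOMATIC(MAX_COORDAGENTS)'

# cfg_value NAME: read dbm cfg text on stdin and print the value of NAME,
# with whitespace and any AUTOMATIC(...) wrapper removed.
cfg_value() {
    awk -v key="($1)" -F' = ' '
        index($1, key) {
            v = $2
            gsub(/[ \t\r]/, "", v)
            if (v ~ /^AUTOMATIC\(.*\)$/) {
                sub(/^AUTOMATIC\(/, "", v)
                sub(/\)$/, "", v)
            }
            print v
            exit
        }'
}

# concentrator_state: read dbm cfg text on stdin; print ENABLED, DISABLED
# or UNKNOWN (a parameter is missing or not a plain number).
concentrator_state() {
    cfg=$(cat)
    coord=$(printf '%s\n' "$cfg" | cfg_value MAX_COORDAGENTS)
    conns=$(printf '%s\n' "$cfg" | cfg_value MAX_CONNECTIONS)
    # Assumption: MAX_COORDAGENTS or -1 here means "same as max_coordagents",
    # so the two values are equal and the concentrator is off.
    case "$conns" in MAX_COORDAGENTS|-1) echo DISABLED; return 0 ;; esac
    case "$coord" in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
    case "$conns" in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
    if [ "$conns" -gt "$coord" ]; then echo ENABLED; else echo DISABLED; fi
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ON" | concentrator_state
printf '%s\n' "$SAMPLE_OFF" | concentrator_state
```

An ENABLED result on an instance below FP6a means the leak condition described above can be reached; UNKNOWN means the values should be read by hand.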
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:db2:9.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp1:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp2:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp2a:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp3:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp3a:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp3b:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp4:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp4a:*:*:*:*:*:*
- cpe:2.3:a:ibm:db2:9.5:fp5:*:*:*:*:*:*
Patches
No patches discovered yet.
References